According to a recent report from Bitsight, a malicious botnet called Socks5Systemz is fueling a proxy service known as PROXY.AM. The proxy service adds a layer of anonymity to criminal activity on public networks: attackers route their traffic through infected machines or through unrelated users' connections, so the target sees the proxy host's address rather than the true source of the attack.
Origins and Evolution
Socks5Systemz first appeared on underground cybercrime forums in March 2013. Bitsight identified it as part of cyberattacks distributing malware like PrivateLoader, SmokeLoader, and Amadey. Its primary role today is converting infected systems into proxy exit nodes, which PROXY.AM then advertises to buyers, often cybercriminals, looking to mask their activity. The illegal proxy service has been active since 2016.
Scale of Infection
By January 2024, the botnet had grown to an estimated 250,000 infected machines daily. Current estimates place this figure between 85,000 and 100,000. As of this writing, PROXY.AM claims to offer 83,443 proxy nodes spanning 52 countries. The most affected countries include India, Indonesia, Ukraine, Algeria, Vietnam, Russia, Turkey, Brazil, Mexico, and Pakistan, among others.
How It Works
PROXY.AM markets its service as “elite, private, and anonymous proxy servers,” with prices ranging from $126/month for an “Unlimited” plan to $700/month for a “VIP” package.
New Attack Vectors
The report coincides with findings from Trend Micro, which detail attacks on misconfigured Docker Remote API servers. Hackers deployed malware from the Gafgyt botnet by exploiting weak SSH passwords and poorly secured Docker instances.
Security researcher Sunil Bharti explained, “Attackers target exposed, misconfigured Docker Remote API servers to deploy malware via containers built from legitimate images like ‘alpine’.” In addition to spreading malware, attackers use such botnets to infect more machines.
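The misconfiguration described above is usually a Docker daemon whose Remote API is bound to a network interface without TLS client authentication. The following audit script is an added example written for this page, not code from Bitsight, Trend Micro or the Docker project. It checks a daemon.json configuration for that weakness; the two sample configurations (the weak one and the corrected one) are constructed here, and the address, port and certificate paths in them are placeholders.

```python
"""Audit a Docker daemon.json for an exposed Remote API (added example, constructed samples)."""
import json

# Constructed sample of the weak setting: the Remote API listens on all interfaces with no TLS,
# so anyone who can reach the port can create containers on the host.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample of the corrected setting: bound to one management address, TLS with
# client-certificate verification (tlsverify) and the CA/cert/key paths filled in (placeholders).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

ANY_INTERFACE = ("", "0.0.0.0", "[::]", "::")


def audit_daemon_config(raw_json: str) -> list[str]:
    """Return a list of findings; an empty list means no network-exposed API without TLS."""
    cfg = json.loads(raw_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # only the local Unix socket: nothing reachable over the network
    tls_on = bool(cfg.get("tlsverify")) or bool(cfg.get("tls"))
    for h in tcp_hosts:
        host, _, port = h[len("tcp://"):].rpartition(":")
        if host in ANY_INTERFACE:
            findings.append(f"{h}: Remote API bound to all interfaces")
        if not tls_on:
            findings.append(f"{h}: no TLS, anyone who can reach port {port} controls the daemon")
        elif not cfg.get("tlsverify"):
            findings.append(f"{h}: TLS enabled but client certificates are not verified")
        elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append(f"{h}: tlsverify set but CA/cert/key paths are incomplete")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(cfg) or ["no findings"])
```

Run it against a real `/etc/docker/daemon.json` by passing the file contents to `audit_daemon_config`; a host whose daemon also receives `-H tcp://...` on its command line will not show up here, so check the service unit as well.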
Cloud Misconfigurations: A Growing Problem
Cloud misconfigurations continue to be prime targets. Attackers exploit them to mine cryptocurrency, steal data, or expand their botnet networks. A recent study by researchers at Leiden University and TU Delft found 215 cases of exposed credentials granting unauthorized access to databases, cloud infrastructure, and third-party APIs. Most incidents occurred in the U.S., India, Australia, the U.K., Brazil, and South Korea, impacting sectors like IT, retail, finance, education, media, and healthcare.
The Bigger Picture
Proxy services like PROXY.AM aren’t new but are becoming more significant. Their growing presence on darknet forums enables criminals to perform malicious activities under multiple layers of anonymity. This allows botnets like Socks5Systemz to remain in the shadows while fueling widespread cyberattacks.
For over 10 years, Socks5Systemz operated quietly as a SOCKS5 proxy module within other malware. Bitsight’s findings expose the largest known proxy network powered by the botnet to date.
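A SOCKS5 proxy module like the one described above speaks the handshake defined in RFC 1928, and that handshake is something a defender can recognise in traffic captured from a host that has no business accepting proxy clients. The detector below is an added example written for this page, not Bitsight's tooling or anything from the Socks5Systemz code: it parses the client greeting and the CONNECT/BIND/UDP request, then reports which servers in a set of constructed flow records accepted a SOCKS5 greeting. The addresses, port and payloads in FLOWS are constructed samples.

```python
"""Recognise SOCKS5 handshakes (RFC 1928) in captured payloads. Added example, constructed data."""
import ipaddress
import struct

SOCKS_VER = 0x05
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


def is_socks5_greeting(data: bytes) -> bool:
    """Client greeting: VER=5, NMETHODS, then exactly NMETHODS method bytes."""
    if len(data) < 3 or data[0] != SOCKS_VER:
        return False
    nmethods = data[1]
    return nmethods > 0 and len(data) == 2 + nmethods


def parse_socks5_request(data: bytes):
    """Parse the request sent after authentication: VER CMD RSV ATYP DST.ADDR DST.PORT.
    Returns {"command", "dest", "port"} or None if the bytes are not a SOCKS5 request."""
    if len(data) < 7 or data[0] != SOCKS_VER or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x01:  # IPv4, 4 bytes
        addr_end = 8
        dest = str(ipaddress.IPv4Address(data[4:8])) if len(data) >= addr_end + 2 else None
    elif atyp == 0x03:  # domain name, one length byte then the name
        addr_end = 5 + data[4]
        dest = data[5:addr_end].decode("ascii", errors="replace") if len(data) >= addr_end + 2 else None
    elif atyp == 0x04:  # IPv6, 16 bytes
        addr_end = 20
        dest = str(ipaddress.IPv6Address(data[4:20])) if len(data) >= addr_end + 2 else None
    else:
        return None
    if dest is None:
        return None  # truncated address or port
    (port,) = struct.unpack("!H", data[addr_end:addr_end + 2])
    return {"command": CMD_NAMES[cmd], "dest": dest, "port": port}


# Constructed capture: (client, server, server_port, first client payload of the flow).
# The third record is plain HTTP and must not be flagged.
FLOWS = [
    ("203.0.113.10", "192.0.2.25", 46155, bytes([0x05, 0x01, 0x00])),
    ("203.0.113.10", "192.0.2.25", 46155,
     bytes([0x05, 0x01, 0x00, 0x03, 11]) + b"example.com" + bytes([0x01, 0xBB])),
    ("203.0.113.11", "192.0.2.30", 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]


def find_proxy_nodes(flows):
    """Return ({server: {ports}} for servers that accepted a SOCKS5 greeting,
    [(server, parsed_request), ...] for the proxied destinations seen)."""
    nodes, requests = {}, []
    for _client, server, port, payload in flows:
        if is_socks5_greeting(payload):
            nodes.setdefault(server, set()).add(port)
        else:
            req = parse_socks5_request(payload)
            if req is not None:
                requests.append((server, req))
    return nodes, requests


if __name__ == "__main__":
    nodes, requests = find_proxy_nodes(FLOWS)
    print("hosts accepting SOCKS5:", nodes)
    print("proxied destinations:", requests)
```

In practice the greeting check alone produces false positives on short binary payloads, so treat a hit as a lead and confirm it with the parsed request that follows on the same connection, as the example does for the first two records.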
Martin Baker
Martin Baker, Managing Editor at Decoded.cc, harnesses a decade of digital publishing expertise to craft engaging content around technology, data, and culture. He leads cross-functional teams, enforces editorial excellence, and transforms complex ideas into accessible narratives—fueling Decoded.cc’s growth and impact.